Django: Ticket #20972: messages cookie should follow session cookie secure/httponly
https://code.djangoproject.com/ticket/20972
<p>
The cookie created by the CookieStorage backend for django.contrib.messages follows the domain for sessions, from the SESSION_COOKIE_DOMAIN, but not the secure and httponly settings, from SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY.
</p>
<p>
The information in the messages can be very sensitive, like "Patient John Doe successfully saved", so I do feel strongly we have to fix this. It's probably best to follow the secure/httponly settings for sessions. In the default configuration, cookies will be used for all short messages &lt;2048 bytes, so this is very common.
</p>
<p>
As a sidenote, the SESSION_COOKIE_DOMAIN setting documentation does not mention this is also used for messages. This should probably be added - along with a note in the secure and httponly sessions, assuming this is the path we follow.
</p>
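<p>
To make the gap concrete, here is an added example that is not part of the ticket or of Django itself: a stand-alone model of the messages cookie before and after the change the ticket asks for, plus a small audit helper a defender can run over any <tt>Set-Cookie</tt> header to see which hardening attributes it lacks. The settings dictionary, the cookie name and the payload are constructed values that only mirror the setting names named in the ticket; the two <tt>set_messages_cookie_*</tt> functions are hypothetical stand-ins for the CookieStorage behaviour, not Django code.
</p>

```python
"""Model of the messages-cookie flags issue and an audit check (added example)."""
from http.cookies import SimpleCookie

# Constructed settings, mirroring the Django setting names the ticket mentions.
SETTINGS = {
    "SESSION_COOKIE_DOMAIN": ".example.com",
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
}
MESSAGES_COOKIE_NAME = "messages"  # assumed cookie name for this example


def build_set_cookie(name, value, domain=None, secure=False, httponly=False):
    """Render a Set-Cookie header value with the standard-library cookie code."""
    cookie = SimpleCookie()
    cookie[name] = value
    if domain:
        cookie[name]["domain"] = domain
    if secure:
        cookie[name]["secure"] = True
    if httponly:
        cookie[name]["httponly"] = True
    return cookie[name].OutputString()


def set_messages_cookie_before(settings, encoded):
    """Pre-fix behaviour as the ticket describes it: only the domain is borrowed
    from the session settings, so Secure and HttpOnly are never emitted."""
    return build_set_cookie(MESSAGES_COOKIE_NAME, encoded,
                            domain=settings["SESSION_COOKIE_DOMAIN"])


def set_messages_cookie_after(settings, encoded):
    """Requested behaviour: secure and httponly follow the session settings too,
    so the messages cookie is exactly as hardened as the session cookie."""
    return build_set_cookie(MESSAGES_COOKIE_NAME, encoded,
                            domain=settings["SESSION_COOKIE_DOMAIN"],
                            secure=settings["SESSION_COOKIE_SECURE"],
                            httponly=settings["SESSION_COOKIE_HTTPONLY"])


def audit_set_cookie(header_value):
    """Return the set of hardening attributes missing from a Set-Cookie value.

    Attribute names are compared case-insensitively, as browsers do, so both
    'HttpOnly' and 'httponly' count as present.
    """
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in header_value.split(";")[1:]}
    return {flag for flag in ("secure", "httponly") if flag not in attrs}


if __name__ == "__main__":
    payload = "constructed-signed-payload"  # constructed stand-in for the signed data
    for label, fn in (("before", set_messages_cookie_before),
                      ("after", set_messages_cookie_after)):
        header = fn(SETTINGS, payload)
        print(f"{label}: {header}")
        print(f"  missing: {sorted(audit_set_cookie(header)) or 'none'}")
```

<p>
Note that the "after" variant only inherits what the session cookie has: with <tt>SESSION_COOKIE_SECURE = False</tt> the messages cookie is still sent without <tt>Secure</tt>, which is the intended coupling the ticket proposes rather than an unconditional hardening.
</p>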
<p>
Comment 1 by erikr, Mon, 26 Aug 2013 08:01:41 GMT: cc, needs_better_patch, needs_tests, needs_docs set (<a href="https://code.djangoproject.com/ticket/20972#comment:1">https://code.djangoproject.com/ticket/20972#comment:1</a>)
</p>
<ul>
<li><strong>cc</strong>
<em>eromijn@…</em> added
</li>
<li><strong>needs_better_patch</strong>
unset
</li>
<li><strong>needs_tests</strong>
unset
</li>
<li><strong>needs_docs</strong>
unset
</li>
</ul>
<p>
Comment 2 by erikr, Mon, 26 Aug 2013 19:38:51 GMT: has_patch changed (<a href="https://code.djangoproject.com/ticket/20972#comment:2">https://code.djangoproject.com/ticket/20972#comment:2</a>)
</p>
<ul>
<li><strong>has_patch</strong>
set
</li>
</ul>
<p>
PR created: <a class="ext-link" href="https://github.com/django/django/pull/1515"><span class="icon">​</span>https://github.com/django/django/pull/1515</a>
</p>
<p>
As a sidenote, anyone concerned about this issue can also avoid it by setting:<br />
<tt>MESSAGE_STORAGE = 'django.contrib.messages.storage.session.SessionStorage'</tt><br />
This will prevent django.contrib.messages from storing messages in cookies at any time, thereby avoiding the issue of any cookie settings, at the cost of a (probably very minor) performance hit.
</p>
<p>
Comment 3 by Erik Romijn &lt;erik@…&gt;, Mon, 26 Aug 2013 20:57:32 GMT: status changed; resolution set (<a href="https://code.djangoproject.com/ticket/20972#comment:3">https://code.djangoproject.com/ticket/20972#comment:3</a>)
</p>
<ul>
<li><strong>status</strong>
changed from <em>new</em> to <em>closed</em>
</li>
<li><strong>resolution</strong>
set to <em>fixed</em>
</li>
</ul>
<p>
In <a class="changeset" href="https://code.djangoproject.com/changeset/fa572666998bf5dc70d15ec9386d5d3692b264f2" title="Fixed #20972 -- Make messages cookie follow session cookie secure/httponly">fa572666998bf5dc70d15ec9386d5d3692b264f2</a>:
</p>
<div class="message"><p>
Fixed <a class="closed ticket" href="https://code.djangoproject.com/ticket/20972" title="New feature: messages cookie should follow session cookie secure/httponly (closed: fixed)">#20972</a> -- Make messages cookie follow session cookie secure/httponly<br />
</p>
</div>